Abstract. We present an approach to the problem of verification of epistemic properties in multi-agent systems by means of symbolic model checking. In particular, it is shown how to extend the technique of unbounded model checking from a purely temporal setting to a temporal-epistemic one. In order to achieve this, we base our discussion on interpreted systems semantics, a popular semantics used in the multi-agent systems literature. We give details of the technique and show how it can be applied to the well known train, gate and controller problem.

Keywords: model checking, unbounded model checking, multi-agent systems


1 Introduction 

Verification of reactive systems by means of model-checking techniques [3] is now a well-established area of research. In this paradigm one typically models a system S in terms of automata (or by a similar transition-based formalism), builds an implementation $P_S$ of the system by means of a model-checker friendly language such as the input for SMV or PROMELA, and finally uses a model-checker such as SMV or SPIN to verify some temporal property $\varphi$ of the system: $M_P \models \varphi$, where $M_P$ is a temporal model representing the executions of $P_S$. As is well known, there are intrinsic difficulties with the naive approach of performing this operation on an explicit representation of the states, and refinements of symbolic techniques (based on OBDDs, and SAT [1] translations) are being investigated to overcome these hurdles. Formal results and corresponding applications now allow for the verification of complex systems that generate tens of thousands of states.

The field of multi-agent systems (MAS) has also recently become interested in the problem of verifying complex systems. In MAS the emphasis is on the autonomy and rationality of the components, or agents [22]. In this area, modal logics representing concepts such as knowledge, beliefs, intentions, norms, and the temporal evolution of these are used to specify high level properties of the agents. Since these modalities are given interpretations that are different from the ones of the standard temporal operators, it is not straightforward to apply existing model checking tools developed for standard Linear Temporal Logic (LTL) or Computation Tree Logic (CTL) to the specification of MAS. One further problem is the fact that the modalities that are of interest are often not given a precise interpretation in terms of the computational states of the system, but simply interpreted on classes of Kripke models that guarantee (via frame-correspondence) that some intuitive properties of the system are preserved¹. This makes it hard to use the semantics to model any actual computation performed by the system [21]. For the case of knowledge, the semantics of interpreted systems [8], popularized by Halpern and colleagues in the 90's, can be used to give an interpretation to the modalities that maintains the traditional S5 properties, while, at the same time, being appropriate for model checking [9]. Indeed, a considerable amount of literature now exists on the application of interpreted systems and epistemic logic to the application areas of security, modelling of synchronous and asynchronous systems, digital rights, etc. It is fair to say that this area constitutes the most thoroughly explored, and technically advanced sub-discipline among the formal studies of multi-agent systems available at the moment.


1.1 State of the art and related literature 

The recent developments in the area of model checking MAS can broadly be divided into two streams. In the first category standard predicates are used to interpret the various intensional notions and these are paired with standard model checking techniques based on temporal logic. Following this line is for example [23] and related papers. In the other category we can place techniques that make a genuine attempt at extending the model checking techniques by adding other operators. Works along these lines include [19, 20, 12, 17, 16, 15, 14, 10].

In [19] local propositions are used to translate knowledge modalities on LTL structures. Once this process is done, the result can be fed into the SPIN model checker. Unfortunately, in this approach local propositions need to be computed by the user.

¹ For example, in epistemic logic it is customary to use equivalence models to interpret a knowledge modality K so that it inherits the properties of the logical system S5 [2]; in particular axioms T, 4, and 5 (which are considered to be intuitively correct for knowledge) are valid.

These works were preceded by [12], where van der Meyden and Shilov presented theoretical properties of the model checking problems for epistemic linear temporal logics for interpreted systems with perfect recall. In particular, it was shown that the problem of checking a language that includes "until" and "common knowledge" on perfect recall systems is undecidable, and decidable fragments were identified.

In [17, 16, 15] an extension of standard temporal verification via model checking on OBDDs to epistemic and deontic operators is presented and studied.

In [14, 10] an extension of the method of bounded model checking (one of the main SAT-based techniques) to CTLK, a language comprising both CTL and knowledge operators, was defined, implemented, and evaluated. While preliminary results appear largely positive, any bounded model checking algorithm is mostly of use when the task is either to check whether a universal CTLK formula is actually false on a model, or to check that an existential CTLK formula is valid. This is a severe limitation in MAS as it turns out that many of the most interesting properties one is interested in checking actually involve universal formulas. For example, in a security setting one may want to check whether it is true that forever in the future a particular secret, perhaps a key, is mutually known by two participants.


1.2 Aim of this paper 


The aim of this paper is to contribute to the line of SAT-based techniques, by overcoming the intrinsic limitation of any bounded model checking algorithm, and to provide a method for model checking the full language of CTLK. The SAT-based method we introduce and discuss here is an extension to knowledge and time of a technique introduced by McMillan [11] called unbounded model checking (UMC). A byproduct of the work presented here is the definition of a fixed point semantics for a logic CTLpK, which extends CTLK by past operators.

Like any SAT-based method, UMC consists in translating the model checking problem of what is in this case a CTLpK formula into the problem of satisfiability of a propositional formula. UMC exploits the characterization of the basic modalities in terms of Quantified Boolean Formulas (QBF), and the algorithms that translate QBF and fixed point equations over QBF into propositional formulas. In order to adapt UMC for checking CTLpK, we use three algorithms. The first one, implemented by the procedure forall [11] (based on the Davis-Putnam-Logemann-Loveland approach [4]), eliminates the universal quantifier from a QBF formula representing a CTLpK formula, and returns the result in conjunctive normal form (CNF). The remaining algorithms, implemented by the procedures gfp and lfp, calculate the greatest and the least fixed points for the modal formulas in use here. Ultimately, the technique allows for a CTLpK formula $\alpha$ to be translated into a propositional formula $[\alpha](w)$² in CNF, which characterizes all the states of the model where $\alpha$ holds.

For the case of CTL it was shown by McMillan [11] that model checking via UMC can be exponentially more efficient than approaches based on BDDs in two situations:

- whenever the resulting fixed points have compact representations in CNF, but not via BDDs;

- whenever the SAT-based image computation step proves to be faster than the BDD-based one.

Although we do not prove it here, we expect a similar increase in efficiency for model checking of CTLpK over interpreted systems.

The rest of the paper is structured in the following manner. Section 2 introduces interpreted systems semantics, the semantics on which we ground our investigation. The logic CTLpK is defined in Section 3. Section 4 summarizes the basic definitions that we need for CNF and QBF formulas, and fixes the notation we use throughout the paper. A fixed point characterization of CTLpK formulas is presented in Section 5. The main idea of symbolic model checking CTLpK is described in Section 6, where algorithms for computing propositional formulas equivalent to CTLpK formulas are also given. Two examples on the use of the algorithms of this paper are given in Section 7. Preliminary experimental results are shown in Section 8, whereas conclusions are given in Section 9.

2 Interpreted systems semantics

Any transition-based semantics allows for the representation of temporal flows of time by means of the successor relation. For example, UMC for CTL uses plain Kripke models [11]. To work on a temporal epistemic language, we need to consider a semantics that allows for an automatic representation of the epistemic relations between computational states [21]. The mainstream semantics that allows one to do so is the one of interpreted systems [8].

Interpreted systems can be succinctly defined as follows (we refer to [8] for more details). Assume a set of agents $A = \{1, \dots, n\}$, a set of local states $L_i$ and possible actions $Act_i$ for each agent $i \in A$, and a set $L_e$ and $Act_e$ of local states and actions for the environment. The set of possible global states for the system is defined as $G = L_1 \times \dots \times L_n \times L_e$, where each element $(l_1, \dots, l_n, l_e)$ of G represents a computational state for the whole system (note that, as will be clear below, some states in G may actually never be reached by any computation of the system). Further assume a set of protocols $P_i : L_i \to 2^{Act_i}$, for $i = 1, \dots, n$, representing the functioning behaviour of every agent, and a function $P_e : L_e \to 2^{Act_e}$ for the environment. We can model the computation taking place in the system by means of a transition function $t : G \times Act \to G$, where $Act \subseteq Act_1 \times \dots \times Act_n \times Act_e$ is the set of joint actions. Intuitively, given an initial state, the sets of protocols, and the transition function, we can build a (possibly infinite) structure that represents all the possible computations of the system. Many representations can be given to this structure; since in this paper we are only concerned with temporal epistemic properties, we shall find the following to be a useful one.

² Note that w is a vector of propositional variables used to encode the states of the model.

Definition 1 (Models). Given a set of agents $A = \{1, \dots, n\}$, a temporal epistemic model (or simply a model) is a pair $M = (\mathcal{K}, V)$ with $\mathcal{K} = (G, W, T, \sim_1, \dots, \sim_n, \iota)$, where

- G is the set of the global states for the system (henceforth called simply states);

- $T \subseteq G \times G$ is a total binary (successor) relation on G;

- W is the set of global states reachable from $\iota$, i.e., $W = \{s \in G \mid (\iota, s) \in T^*\}$³;

- $\sim_i \subseteq G \times G$ ($i \in A$) is an epistemic accessibility relation for each agent $i \in A$ defined by $s \sim_i s'$ iff $l_i(s') = l_i(s)$, where the function $l_i : G \to L_i$ returns the local state of agent i from a global state s; obviously $\sim_i$ is an equivalence relation;

- $\iota \in W$ is the initial state;

- $V : G \to 2^{PV_K}$ is a valuation function for a set of propositional variables $PV_K$ such that $true \in V(s)$ for all $s \in G$. V assigns to each state a set of propositional variables that are assumed to be true at that state.

Note that in the definition above we include both all possible states and the subset of reachable states. The reason for this follows from having past modalities in the language (see the next section), which are defined over any possible global state so that a simple fixed point semantics for them can be given. Still, note that, if required, it is possible to restrict the range of the past modalities to reachable states only by insisting that the target state is itself reachable from the initial state.

By $|M|$ we denote the number of states of M, by $\mathbb{N} = \{0, 1, 2, \dots\}$ the set of natural numbers and by $\mathbb{N}_+ = \{1, 2, \dots\}$ the set of positive natural numbers.

Epistemic relations. When we consider a group of agents, we are often interested in situations in which everyone in the group knows a fact $\alpha$. In addition to this it is sometimes useful to consider other kinds of group knowledge. One of these is common knowledge. A group of agents has common knowledge about $\alpha$ if everyone knows $\alpha$, and everyone knows that everyone knows $\alpha$, and everyone knows that everyone knows that everyone knows $\alpha$, and so on. For example, common knowledge is achieved following information broadcasting with no faults. A different notion is that of distributed knowledge (sometimes referred to as "implicit knowledge", or "wise-man" knowledge). A fact $\alpha$ is distributed knowledge in a group of agents if it could be inferred by pooling together the information the agents have. We refer to [8] for an introduction to these concepts.

Let $\Gamma \subseteq A$. Given the epistemic relations for the agents in $\Gamma$, the union of $\Gamma$'s accessibility relations defines the epistemic relation corresponding to the modality of everybody knows: $\sim^E_\Gamma = \bigcup_{i \in \Gamma} \sim_i$. $\sim^C_\Gamma$ denotes the transitive closure of $\sim^E_\Gamma$ and corresponds to the relation used to interpret the modality of common knowledge. Notice that from the reflexivity of $\sim^E_\Gamma$ it follows that $\sim^C_\Gamma$ is, in fact, the transitive and reflexive closure of $\sim^E_\Gamma$. The relation $\sim^D_\Gamma$ used to interpret the modality of distributed knowledge is given by taking the intersection of the relations corresponding to the agents in $\Gamma$.

³ $T^*$ denotes the reflexive and transitive closure of T.

Computations. A computation in M is a possibly infinite sequence of states $\pi = (s_0, s_1, \dots)$ such that $(s_i, s_{i+1}) \in T$ for each $i \in \mathbb{N}$. Specifically, we assume that $(s_i, s_{i+1}) \in T$ iff $s_{i+1} = t(s_i, act_i)$, i.e., $s_{i+1}$ is the result of applying the transition function t to the global state $s_i$ and a joint action $act_i$. All the components of $act_i$ are prescribed by the corresponding protocols $P_j$ for the agents at $s_i$. In the following we abstract from the transition function, the actions, and the protocols, and simply use T, but it should be clear that this is uniquely determined by the interpreted system under consideration. Indeed, these are given explicitly in the example in the last section of this paper. In interpreted systems terminology a computation is a part of a run; note that we do not require $s_0$ to be an initial state. For a computation $\pi = (s_0, s_1, \dots)$, let $\pi(k) = s_k$, and $\pi_k = (s_0, \dots, s_k)$, for each $k \in \mathbb{N}$. By $\Pi(s)$ we denote the set of all the infinite computations starting at s in M.

3 Computation Tree Logic of Knowledge with Past (CTLpK)

Interpreted systems are traditionally used to give a semantics to an epistemic language enriched with temporal connectives based on linear time [8]. Here we use Computation Tree Logic (CTL) by Emerson and Clarke [7] as our basic temporal language and add an epistemic and past component to it. We call the resulting logic Computation Tree Logic of Knowledge with Past (CTLpK).

Definition 2 (Syntax of CTLpK). Let $PV_K$ be a set of propositional variables containing the symbol true. The set of CTLpK formulas $\mathcal{FORM}$ is defined inductively by using the following rules only:

• every member p of $PV_K$ is a formula,

• if $\alpha$ and $\beta$ are formulas, then so are $\neg\alpha$, $\alpha \wedge \beta$ and $\alpha \vee \beta$,

• if $\alpha$ and $\beta$ are formulas, then so are $AX\alpha$, $AG\alpha$, and $A(\alpha U \beta)$,

• if $\alpha$ is a formula, then so are $AY\alpha$ and $AH\alpha$,

• if $\alpha$ is a formula, then so is $K_i\alpha$, for $i \in A$,

• if $\alpha$ is a formula, then so are $D_\Gamma\alpha$, $C_\Gamma\alpha$ and $E_\Gamma\alpha$, for $\Gamma \subseteq A$.

The other modalities are defined by duality as follows:

- $EF\alpha \stackrel{def}{=} \neg AG\neg\alpha$, $EP\alpha \stackrel{def}{=} \neg AH\neg\alpha$, $EZ\alpha \stackrel{def}{=} \neg AZ\neg\alpha$, for $Z \in \{X, Y\}$,

- $\overline{K}_i\alpha \stackrel{def}{=} \neg K_i\neg\alpha$, $\overline{D}_\Gamma\alpha \stackrel{def}{=} \neg D_\Gamma\neg\alpha$, $\overline{C}_\Gamma\alpha \stackrel{def}{=} \neg C_\Gamma\neg\alpha$, $\overline{E}_\Gamma\alpha \stackrel{def}{=} \neg E_\Gamma\neg\alpha$.

Moreover, $\alpha \Rightarrow \beta \stackrel{def}{=} \neg\alpha \vee \beta$, $\alpha \Leftrightarrow \beta \stackrel{def}{=} (\alpha \Rightarrow \beta) \wedge (\beta \Rightarrow \alpha)$, and $false \stackrel{def}{=} \neg true$. We omit the subscript $\Gamma$ for the epistemic modalities if $\Gamma = A$, i.e., $\Gamma$ is the set of all the agents. As customary, X and G stand respectively for "at the next step" and "forever in the future". Y and H are their past counterparts "at the previous step" and "forever in the past". The Until operator U, precisely $\alpha U \beta$, expresses that $\beta$ occurs eventually and $\alpha$ holds continuously until then.


Definition 3 (Interpretation of CTLpK). Let $M = (\mathcal{K}, V)$ be a model with $\mathcal{K} = (G, W, T, \sim_1, \dots, \sim_n, \iota)$, $s \in G$ a state, $\pi$ a computation, and $\alpha, \beta$ formulas of CTLpK. $M, s \models \alpha$ denotes that $\alpha$ is true at the state s in the model M. M is omitted if it is implicitly understood. The relation $\models$ is defined inductively as follows:

$s \models p$ iff $p \in V(s)$,

$s \models \neg\alpha$ iff $s \not\models \alpha$,

$s \models \alpha \vee \beta$ iff $s \models \alpha$ or $s \models \beta$,

$s \models \alpha \wedge \beta$ iff $s \models \alpha$ and $s \models \beta$,

$s \models AX\alpha$ iff $\forall \pi \in \Pi(s)\ \pi(1) \models \alpha$,

$s \models AG\alpha$ iff $\forall \pi \in \Pi(s)\ \forall m \geq 0\ \pi(m) \models \alpha$,

$s \models A(\alpha U \beta)$ iff $\forall \pi \in \Pi(s)\ (\exists m \geq 0\ [\pi(m) \models \beta \text{ and } \forall j < m\ \pi(j) \models \alpha])$,

$s \models AY\alpha$ iff $\forall s' \in G$ (if $(s', s) \in T$, then $s' \models \alpha$),

$s \models AH\alpha$ iff $\forall s' \in G$ (if $(s', s) \in T^*$, then $s' \models \alpha$),

$s \models K_i\alpha$ iff $\forall s' \in W$ (if $s \sim_i s'$, then $s' \models \alpha$),

$s \models D_\Gamma\alpha$ iff $\forall s' \in W$ (if $s \sim^D_\Gamma s'$, then $s' \models \alpha$),

$s \models E_\Gamma\alpha$ iff $\forall s' \in W$ (if $s \sim^E_\Gamma s'$, then $s' \models \alpha$),

$s \models C_\Gamma\alpha$ iff $\forall s' \in W$ (if $s \sim^C_\Gamma s'$, then $s' \models \alpha$).


Definition 4 (Validity). A CTLpK formula $\varphi$ is valid in M (denoted $M \models \varphi$) iff $M, \iota \models \varphi$, i.e., $\varphi$ is true at the initial state of the model M.


Notice that the past component of CTLpK does not contain the modality Since, which is the past counterpart of the modality Until denoted by U. Extending the logic by Since is possible, but complicates the semantics, so this is not discussed in this paper.


4 Formulas in Conjunctive Normal Form and Quantified Boolean Formulas

In this section, we briefly describe the Davis-Putnam-Logemann-Loveland approach [4] to checking satisfiability of formulas in conjunctive normal form (CNF), and show how to construct a CNF formula that is unsatisfiable exactly when a propositional formula $\alpha$ is valid. Having done so, we apply these two methods to compute a propositional formula equivalent to the quantified boolean formula $\forall v.\alpha$, where v is a vector of propositions. In order to do this we first give some basic definitions. The formalism in this section is from [11] and is reported here for completeness.

Let PV be a finite set of propositional variables. A literal is a propositional variable $p \in PV$ or the negation of one: $\neg p$, $p \in PV$. A clause is a disjunction of a set of zero or more literals $l[1] \vee \dots \vee l[n]$. A disjunction of zero literals is taken to mean the constant false. A formula is in conjunctive normal form (CNF) if it is a conjunction of a set of zero or more clauses $c[1] \wedge \dots \wedge c[n]$. A conjunction of zero clauses is taken to mean the constant true. An assignment is a partial function from PV to $\{true, false\}$. An assignment is said to be total when its domain is PV. A total assignment A is said to be satisfying for a formula $\alpha$ when $\alpha(A) = true$, i.e., the value of $\alpha$ given by A is true (under the usual interpretation of the boolean connectives). We equate an assignment A with the conjunction of a set of literals, specifically the set containing $\neg p$ for all $p \in dom(A)$ such that $A(p) = false$, and p for all $p \in dom(A)$ such that $A(p) = true$.

For a given CNF formula $\alpha$ and an assignment A, an implication graph $IG(A, \alpha)$ is a maximal directed acyclic graph (V, E), where V is a set of vertices and E is a set of edges, such that:

- V is a set of literals,

- every literal in A is a root,

- for every vertex l not in A, the CNF formula $\alpha$ contains the clause $cl(l, A, \alpha) = l \vee \bigvee_{(m, l) \in E} \neg m$,

- for all $p \in PV$, V does not contain both p and $\neg p$.

Notice that the above conditions do not uniquely define the implication graph. We denote by $A_\alpha$ the assignment induced by the implication graph $IG(A, \alpha)$, i.e., $A_\alpha = \bigwedge_{v \in V} v$, where V is the set of vertices of $IG(A, \alpha)$. Observe that $A_\alpha$ is an extension of A. Furthermore, $\alpha \wedge A$ implies $A_\alpha$.

Given two clauses of the form $c[1] = p \vee C_1$ and $c[2] = \neg p \vee C_2$, where $C_1$ and $C_2$ are disjunctions of literals, we say that the resolvent of $c[1]$ and $c[2]$ is $C_1 \vee C_2$, provided that $C_1 \vee C_2$ contains no contradictory literals, i.e., it does not contain a variable p and its negation $\neg p$. If this happens, the resolvent does not exist. Note that the resolvent of $c[1]$ and $c[2]$ is a clause that is implied by $c[1] \wedge c[2]$.

CNF formulas satisfy useful properties for checking their satisfiability. Indeed, notice that a CNF formula is satisfied only when each of its clauses is satisfied individually. Thus, given a CNF formula $\alpha$ and an assignment A, if a clause in $\alpha$ has all its literals assigned the value false, then A cannot be extended to a satisfying assignment. A clause that has all its literals assigned the value false is called a conflicting clause. We also say that a clause is in conflict when all of its literals are assigned the value false under $A_\alpha$. If there exists a clause in $\alpha$ such that all but one of its literals have been assigned the value false, then the remaining literal must be assigned the value true for this clause to be satisfied. In particular, in every satisfying assignment which is an extension of the assignment A, the unassigned literal must be true. Such an unassigned literal is called a unit literal, and the clause it belongs to is called a unit clause.

There are several algorithms for determining satisfiability of CNF formulas. Here, we use the algorithm proposed by Davis and Putnam and later modified by Davis, Logemann and Loveland [4]. The algorithm is based on the methods of Boolean constraint propagation (BCP) and conflict-based learning (CBL) and it is aimed at building a satisfying assignment for a given formula $\alpha$ in an incremental manner. The BCP technique is the most important part of the algorithm; it determines the logical consequences of the current assignment by building an implication graph and detecting unit clauses and conflicting clauses. When a conflict is detected, as we mentioned above, the current assignment cannot be extended to a satisfying one. In this case, the technique of conflict-based learning is used to deduce a new clause that prevents similar conflicts from reoccurring. This new clause is called a conflict clause and is deduced by resolving the existing clauses using the implication graph as a guide.

The following is a generic conflict-based learning procedure that takes an assignment A, a CNF formula $\alpha$, and a conflicting clause c and produces a conflict clause by repeatedly applying resolution steps until either a termination condition T is satisfied, or no further steps are possible. We elaborate on the condition T below when we discuss how the procedure deduce is used by the procedure forall.

procedure deduce(c, A, $\alpha$)
    while $\neg T$ and there exists $l \in c$ such that $\neg l \notin A$
        let c = resolvent of $cl(\neg l, A, \alpha)$ and c
    return c

The resulting clause c is implied by $\alpha$. Thus it can be added to $\alpha$ without changing its satisfiability.

In the following we show a polynomial-time algorithm that, given a propositional formula $\alpha$, constructs a CNF formula which is unsatisfiable exactly when $\alpha$ is valid. The procedure works as follows. First, for every subformula $\beta$ of the formula $\alpha$ (including $\alpha$ itself) we introduce a distinct variable $l_\beta$. If $\beta$ is a propositional variable, then $l_\beta = \beta$. Next we assign a formula $\mathcal{CNF}(\beta)$ to every subformula $\beta$ according to the following rules:

• if $\beta$ is a variable then $\mathcal{CNF}(\beta) = true$,

• if $\beta = \neg\phi$ then $\mathcal{CNF}(\beta) = \mathcal{CNF}(\phi) \wedge (l_\beta \vee l_\phi) \wedge (\neg l_\beta \vee \neg l_\phi)$,

• if $\beta = \phi \vee \psi$ then $\mathcal{CNF}(\beta) = \mathcal{CNF}(\phi) \wedge \mathcal{CNF}(\psi) \wedge (l_\beta \vee \neg l_\phi) \wedge (l_\beta \vee \neg l_\psi) \wedge (\neg l_\beta \vee l_\phi \vee l_\psi)$,

• if $\beta = \phi \wedge \psi$ then $\mathcal{CNF}(\beta) = \mathcal{CNF}(\phi) \wedge \mathcal{CNF}(\psi) \wedge (\neg l_\beta \vee l_\phi) \wedge (\neg l_\beta \vee l_\psi) \wedge (l_\beta \vee \neg l_\phi \vee \neg l_\psi)$,

• if $\beta = \phi \to \psi$ then $\mathcal{CNF}(\beta) = \mathcal{CNF}(\phi) \wedge \mathcal{CNF}(\psi) \wedge (l_\beta \vee l_\phi) \wedge (l_\beta \vee \neg l_\psi) \wedge (\neg l_\beta \vee \neg l_\phi \vee l_\psi)$.

It can be shown [11] that the formula $\alpha$ is valid when the CNF formula $\mathcal{CNF}(\alpha) \wedge \neg l_\alpha$ is unsatisfiable. This follows from the fact that, for every total assignment A of the variables of $\alpha$, there is a unique satisfying assignment A' of $\mathcal{CNF}(\alpha)$ consistent with A such that $A'(l_\alpha) = \alpha(A)$.

In our method, in order to have a more succinct notation for complex operations on boolean formulas, we also use Quantified Boolean Formulas (QBF), an extension of propositional logic by means of quantifiers ranging over propositions. In BNF: $\alpha ::= p \mid \neg\alpha \mid \alpha \wedge \alpha \mid \exists p.\alpha \mid \forall p.\alpha$. The semantics of the quantifiers is defined as follows:

• $\exists p.\alpha$ iff $\alpha(p \leftarrow true) \vee \alpha(p \leftarrow false)$,

• $\forall p.\alpha$ iff $\alpha(p \leftarrow true) \wedge \alpha(p \leftarrow false)$,

where $\alpha \in QBF$, $p \in PV$ and $\alpha(p \leftarrow \psi)$ denotes the substitution of the formula $\psi$ for every occurrence of the variable p in the formula $\alpha$.

We will use the notation $\forall v.\alpha$, where $v = (v[1], \dots, v[m])$ is a vector of propositional variables, to denote $\forall v[1].\forall v[2] \dots \forall v[m].\alpha$.

What is important here is that for a given QBF formula $\forall v.\alpha$, we can construct a CNF formula equivalent to it by using the algorithm forall [11].

procedure forall(v, $\alpha$), where $v = (v[1], \dots, v[m])$ and $\alpha$ is a propositional formula
    let $\phi = \mathcal{CNF}(\alpha) \wedge \neg l_\alpha$, $\chi = true$, and $A = \emptyset$
    repeat
        if $\phi$ contains false, return $\chi$
        else if some c in $\phi$ is in conflict
            add clause deduce(c, A, $\phi$) to $\phi$
            remove some literals from A
        else if $A_\phi$ is total
            choose a blocking clause d
            remove literals of the form $v[i]$ or $\neg v[i]$ from d
            add d to $\phi$ and $\chi$
        else
            choose a literal l such that $l \notin A$ and $\neg l \notin A$
            add l to A


The procedure works as follows. Initially it assumes an empty assignment A, a formula $\chi$ equal to true and $\phi$ equal to the CNF formula $\mathcal{CNF}(\alpha) \wedge \neg l_\alpha$. The algorithm aims at building a satisfying assignment for the formula $\phi$, i.e., an assignment that falsifies $\alpha$. The search for an appropriate assignment is based on the Davis-Putnam-Logemann-Loveland approach. The following three cases may happen:

- A conflict is detected, i.e., there exists a clause in $\phi$ such that all of its literals are false in $A_\phi$. So, the assignment A cannot be extended to a satisfying one. Then, the procedure deduce is called to generate a conflict clause, which is added to $\phi$, and the algorithm backtracks, i.e., it changes the assignment A by withdrawing one of the previously assigned literals.

- A conflict does not exist and $A_\phi$ is total, i.e., a satisfying assignment is obtained. In this case we generate a new clause which is false in the current assignment $A_\phi$ and whose complement characterizes a set of assignments falsifying the formula $\alpha$. This clause is called a blocking clause and it must have the following properties:

  • it contains only input variables, i.e., the variables over which the input formula $\alpha$ is built,

  • it is false in the current assignment,

  • it is implied by $l_\alpha \wedge \mathcal{CNF}(\alpha)$.

  A blocking clause could be generated using the conflict-based learning procedure, but we require the blocking clause to contain only input variables. To do this we use an implication graph in which all the roots are input literals. Such a graph can be generated in the following way. Let $A_\phi$ be a satisfying assignment for $\phi$, $A' = A_\phi|_{PV}$, i.e., A' is the projection of $A_\phi$ onto the input variables, and let $\phi' = \mathcal{CNF}(\alpha) \wedge \chi$. It is not difficult to show that $A'_{\phi'} = A_\phi$, i.e., both the graphs $IG(A', \phi')$ and $IG(A, \phi)$ induce the same assignment. Furthermore, the variable $l_\alpha$ is in conflict in $IG(A', \phi')$, since $\phi$ contains the clause $\neg l_\alpha$. Thus, the clause $deduce(l_\alpha, A', \phi')$ is a blocking clause provided that it contains only input variables, which can be ensured by a termination condition T.

  Next, in order to quantify universally over the variables $v[1], \dots, v[m]$, the blocking clause is deprived of the literals of the form $v[i]$ or $\neg v[i]$. This is sufficient as the blocking clause is a formula in CNF. Then, what remains is added to the formulas $\phi$ and $\chi$ and the algorithm continues, i.e., again finds a satisfying assignment for $\phi$.

- The first two cases do not apply. Then, the procedure makes a new assignment A by giving a value to a selected variable.

On termination, when $\phi$ becomes unsatisfiable, $\chi$ is a conjunction of the blocking clauses and precisely characterizes $\forall v.\alpha$.

Theorem 1. Let $\alpha$ be a propositional formula and $v = (v[1], \dots, v[m])$ be a vector of propositions; then the QBF formula $\forall v.\alpha$ is logically equivalent to the CNF formula $forall(v, \alpha)$.

The proof of the above theorem follows from the correctness of the algorithm forall (see [11]).

Example 1. We illustrate in a quite detailed way (as performed by a solver) some basic operations of the procedure forall. To make it simple, we explain these operations for a formula in CNF. So, let $\phi = (\neg v_1) \wedge (v_1 \vee v_4 \vee \neg v_5) \wedge (\neg v_2 \vee v_3) \wedge (v_4 \vee v_5)$ and assume that $\phi = \mathcal{CNF}(\alpha) \wedge \neg l_\alpha$ for some formula $\alpha$. The aim of the procedure $forall(v_1, \alpha)$ is to find a formula in CNF equivalent to $\forall v_1.\alpha$. We will only show how one blocking clause is generated and added to $\phi$ and $\chi$. Notice that at the start of the procedure the assignment of $v_1$ is implied, as this variable is the only literal in a clause of $\phi$ and must be followed in order for the clause to be satisfied. Thus, we have $A = \{\neg v_1\}$. Now, the algorithm decides the assignment for another unassigned variable, say $A(v_2) = true$. This implies the assignment of $v_3$, namely $A(v_3) = true$, so that the clause $(\neg v_2 \vee v_3)$ is satisfied. Next, an assignment $A(v_4) = false$ is decided, but notice that this implies both $v_5$ (because of the clause $(v_4 \vee v_5)$) and $\neg v_5$ (because of the clause $(v_1 \vee v_4 \vee \neg v_5)$): a conflict. The implication graph is analysed (several algorithms can be applied [13]) and a learned clause $(v_1 \vee v_4)$ is generated and added to the working set of clauses (i.e., $\phi$). Notice that the variables $v_2$ and $v_3$ are not responsible for this conflict. The learned clause greatly reduces the number of assignments to be examined, as the partial assignment $\{\neg v_1, \neg v_4\}$ is excluded from the future search irrespective of the valuations of the remaining variables. Next, the algorithm withdraws the assignment of $v_4$. Notice that the learned clause implies $A(v_4) = true$. Thus, the satisfying assignment that is found is $A_\phi = \{\neg v_1, v_2, v_3, v_4, v_5\}$.

A blocking clause $(v_1 \vee \neg v_4)$ is generated and the literal $v_1$ is removed from this clause. We obtain the blocking clause $d = (\neg v_4)$, and d is added to $\phi$ and $\chi$. The procedure keeps on going as long as $\phi$ does not contain false.
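The CNF encoding rules, the Davis-Putnam-Logemann-Loveland search and the procedure forall described in this section, together with the solver run of Example 1, as an added example that is not part of the paper (Python, written for this page). Two simplifications are assumptions of this example rather than the paper's method: conflict-based learning is replaced by plain chronological backtracking, and the blocking clause is taken to be the negation of the satisfying assignment projected onto the input variables (which has the three required properties) instead of a clause produced by deduce. All function names (cnf, propagate, dpll, forall, is_valid, holds, theorem1_holds) and the clause set EXAMPLE1 are constructed here.

```python
"""CNF encoding of a propositional formula, DPLL with unit propagation, and
McMillan's forall procedure (universal quantification via blocking clauses).

Added example, not the paper's own code. Assumptions: no conflict-based
learning (chronological backtracking instead), and the blocking clause is the
negation of the satisfying assignment projected onto the input variables.
"""
from itertools import count, product

def neg(lit):
    """A literal is a (variable, polarity) pair; negation flips the polarity."""
    return (lit[0], not lit[1])

def variables(f):
    """Input variables of a formula given as nested tuples:
    ("var", x), ("not", f), ("and", f, g), ("or", f, g), ("imp", f, g)."""
    return {f[1]} if f[0] == "var" else set().union(*(variables(g) for g in f[1:]))

def cnf(f, clauses, fresh):
    """CNF(f) by the rules of Section 4: append its clauses, return the label l_f."""
    if f[0] == "var":
        return (f[1], True)                      # l_f = f for a variable
    lab = (f"_l{next(fresh)}", True)             # distinct label variable for f
    a = cnf(f[1], clauses, fresh)
    if f[0] == "not":
        clauses += [{lab, a}, {neg(lab), neg(a)}]
        return lab
    b = cnf(f[2], clauses, fresh)
    if f[0] == "or":
        clauses += [{lab, neg(a)}, {lab, neg(b)}, {neg(lab), a, b}]
    elif f[0] == "and":
        clauses += [{neg(lab), a}, {neg(lab), b}, {lab, neg(a), neg(b)}]
    else:                                        # "imp"
        clauses += [{lab, a}, {lab, neg(b)}, {neg(lab), neg(a), b}]
    return lab

def propagate(clauses, A):
    """BCP: assign unit literals until nothing changes; False on a conflicting clause."""
    changed = True
    while changed:
        changed = False
        for c in clauses:
            if any(A.get(x) == p for x, p in c):
                continue                         # clause already satisfied
            free = [(x, p) for x, p in c if x not in A]
            if not free:
                return False                     # all literals false: conflict
            if len(free) == 1:                   # unit clause forces its literal
                A[free[0][0]] = free[0][1]
                changed = True
    return True

def dpll(clauses, A=None):
    """Return a total satisfying assignment (dict) or None if unsatisfiable."""
    A = dict(A or {})
    if not propagate(clauses, A):
        return None
    free = sorted({x for c in clauses for x, _ in c} - set(A))
    if not free:
        return A
    for val in (True, False):                    # decide, backtrack on failure
        r = dpll(clauses, {**A, free[0]: val})
        if r is not None:
            return r
    return None

def forall(v, f):
    """List of clauses over the input variables not in v, equivalent to the
    QBF  forall v. f  (procedure forall of Section 4)."""
    clauses, fresh = [], count()
    l_f = cnf(f, clauses, fresh)
    phi = clauses + [{neg(l_f)}]                 # phi = CNF(f) and not l_f
    chi, inputs = [], variables(f)
    while True:
        A = dpll(phi)                            # an assignment falsifying f
        if A is None:
            return chi                           # phi unsatisfiable: chi = forall v. f
        d = {(x, not A[x]) for x in inputs}      # blocking clause: false in A
        d = {lit for lit in d if lit[0] not in v}  # drop the quantified variables
        phi.append(d)
        chi.append(d)

def is_valid(f):
    """f is valid iff CNF(f) and not l_f is unsatisfiable, i.e. no blocking clause."""
    return forall([], f) == []

def holds(f, A):
    """Truth value of a formula under a total assignment of its variables."""
    op = f[0]
    if op == "var":
        return A[f[1]]
    if op == "not":
        return not holds(f[1], A)
    if op == "and":
        return holds(f[1], A) and holds(f[2], A)
    if op == "or":
        return holds(f[1], A) or holds(f[2], A)
    return (not holds(f[1], A)) or holds(f[2], A)

def theorem1_holds(v, f):
    """Brute-force check of Theorem 1: forall(v, f) agrees with forall v. f."""
    chi, free = forall(v, f), sorted(variables(f) - set(v))
    for bits in product((False, True), repeat=len(free)):
        A = dict(zip(free, bits))
        qbf = all(holds(f, {**A, **dict(zip(v, vb))})
                  for vb in product((False, True), repeat=len(v)))
        if qbf != all(any(A[x] == p for x, p in c) for c in chi):
            return False
    return True

# The clause set phi of Example 1 (constructed from the paper's text): a run
# from the empty assignment ends in {not v1, v2, v3, v4, v5}, as in the example.
EXAMPLE1 = [{("v1", False)}, {("v1", True), ("v4", True), ("v5", False)},
            {("v2", False), ("v3", True)}, {("v4", True), ("v5", True)}]
```

For the formula $(x \vee y) \wedge (\neg x \vee y)$, forall(["x"], ...) returns the single blocking clause $(y)$, which is indeed $\forall x.((x \vee y) \wedge (\neg x \vee y))$; for a valid formula it returns the empty list (true), since the first search already fails.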

5 Fixed point characterization of CTLpK

In this section we show how the set of states satisfying any CTLpK formula can be characterized by a fixed point of an appropriate function. We follow and adapt, when necessary, the definitions given in [3].

Let $M = ((G, W, T, \sim_1, \dots, \sim_n, \iota), V)$ be a model. Notice that the set $2^G$ of all subsets of G forms a lattice under the set inclusion ordering. Each element $G' \subseteq G$ of the lattice can also be thought of as a predicate on G, where the predicate is viewed as being true for exactly the states in G'. The least element in the lattice is the empty set, which corresponds to the predicate false, and the greatest element in the lattice is the set G, which corresponds to true. A function $\tau$ mapping $2^G$ to $2^G$ is called a predicate transformer. A set $G' \subseteq G$ is a fixed point of a function $\tau : 2^G \to 2^G$ if $\tau(G') = G'$.

Whenever $\tau$ is monotonic (i.e., when $P \subseteq Q$ implies $\tau(P) \subseteq \tau(Q)$), $\tau$ has a least fixed point denoted by $\mu Z.\tau(Z)$, and a greatest fixed point, denoted by $\nu Z.\tau(Z)$. When $\tau$ is monotonic and $\cup$-continuous (i.e., when $P_1 \subseteq P_2 \subseteq \dots$ implies $\tau(\bigcup_i P_i) = \bigcup_i \tau(P_i)$), then $\mu Z.\tau(Z) = \bigcup_{i \geq 0} \tau^i(false)$. When $\tau$ is monotonic and $\cap$-continuous (i.e., when $P_1 \supseteq P_2 \supseteq \dots$ implies $\tau(\bigcap_i P_i) = \bigcap_i \tau(P_i)$), then $\nu Z.\tau(Z) = \bigcap_{i \geq 0} \tau^i(true)$ (see [18]).

In order to obtain fixed point characterizations of the modal operators, we 
identify each CTLpK formula $\alpha$ with the set $\langle\alpha\rangle_M$ of states in $M$ at which this 
formula is true, formally $\langle\alpha\rangle_M = \{s \in G \mid M, s \models \alpha\}$. If $M$ is clear from the 
context we omit the subscript $M$. Furthermore, we define functions $AX, AY, K_i, E_\Gamma, D_\Gamma$ 
from $2^G$ to $2^G$ as follows: 

– $AX(Z) = \{s \in G \mid \text{for every } s' \in G \text{ if } (s, s') \in T, \text{ then } s' \in Z\}$, 

– $AY(Z) = \{s \in G \mid \text{for every } s' \in G \text{ if } (s', s) \in T, \text{ then } s' \in Z\}$, 

– $K_i(Z) = \{s \in G \mid \text{for every } s' \in G \text{ if } (\iota, s') \in T^* \text{ and } s \sim_i s', \text{ then } s' \in Z\}$, 

– $E_\Gamma(Z) = \{s \in G \mid \text{for every } s' \in G \text{ if } (\iota, s') \in T^* \text{ and } s \sim^E_\Gamma s', \text{ then } s' \in Z\}$, 

– $D_\Gamma(Z) = \{s \in G \mid \text{for every } s' \in G \text{ if } (\iota, s') \in T^* \text{ and } s \sim^D_\Gamma s', \text{ then } s' \in Z\}$. 

Observe that $\langle O\alpha\rangle = O(\langle\alpha\rangle)$, for $O \in \{AX, AY, K_i, E_\Gamma, D_\Gamma\}$. Then, the 
following temporal and epistemic operators may be characterized as the least 
or the greatest fixed point of an appropriate monotonic ($\bigcap$-continuous or 
$\bigcup$-continuous) predicate transformer. 

– $\langle AG\alpha\rangle = \nu Z.\langle\alpha\rangle \cap AX(Z)$, 

– $\langle A(\alpha U \beta)\rangle = \mu Z.\langle\beta\rangle \cup (\langle\alpha\rangle \cap AX(Z))$, 

– $\langle AH\alpha\rangle = \nu Z.\langle\alpha\rangle \cap AY(Z)$, 

– $\langle C_\Gamma\alpha\rangle = \nu Z.E_\Gamma(Z \cap \langle\alpha\rangle)$. 

The first three equations are standard (see [6], [3]), whereas the fourth one 
is defined analogously, taking into account that $\sim^C_\Gamma$ is the transitive and reflexive 
closure of $\sim^E_\Gamma$. 

6 Symbolic model checking on CTLpK 

Let $M = (\mathcal{K}, V)$ with $\mathcal{K} = (G, W, T, \sim_1, \ldots, \sim_n, \iota)$. Recall that the set of global 
states $G = L_1 \times \ldots \times L_n$ is the Cartesian product of the sets of local states (without 
loss of generality we treat the environment as one of the agents). 

We assume $L_i \subseteq \{0, 1\}^{n_i}$, where $n_i = \lceil \log_2(|L_i|) \rceil$, and let $n_1 + \ldots + n_n = m$, 
i.e., every local state is represented by a sequence consisting of 0's and 1's. 
Moreover, let $D_i$ be the set of the indexes of the bits of the local state of each 
agent $i$ in the global states, i.e., $D_1 = \{1, \ldots, n_1\}, \ldots, D_n = \{m - n_n + 1, \ldots, m\}$. 

Let $PV$ be a set of fresh propositional variables such that $PV \cap PV_K = \emptyset$, 
$F_{PV}$ be the set of propositional formulas over $PV$, and $lit : \{0, 1\} \times PV \rightarrow F_{PV}$ 
be a function defined as follows: $lit(0, p) = \neg p$ and $lit(1, p) = p$. Furthermore, 
let $w = (w[1], \ldots, w[m])$, where $w[i] \in PV$ for each $i = 1, \ldots, m$, be a global 
state variable. We use elements of $G$ as valuations⁴ of global state variables in 
formulas of $F_{PV}$. For example $w[1] \wedge w[2]$ evaluates to true for the valuation 
$q = (1, \ldots, 1)$, and it evaluates to false for the valuation $q = (0, \ldots, 0)$. 

Now, the idea consists in using propositional formulas of $F_{PV}$ to encode sets 
of states of $G$. For example, the formula $w[1] \wedge \ldots \wedge w[m]$ encodes the state 
represented by $(1, \ldots, 1)$, whereas the formula $w[1]$ encodes all the states whose 
first bit is equal to 1. 

Next, the following propositional formulas are defined: 

– $I_s(w) := \bigwedge_{i=1}^{m} lit(s_i, w[i])$. 

This formula encodes the state $s = (s_1, \ldots, s_m)$ of the model, i.e., $s_i = 1$ is 
encoded by $w[i]$, and $s_i = 0$ is encoded by $\neg w[i]$. 

– $H(w, v) := \bigwedge_{i=1}^{m} (w[i] \Leftrightarrow v[i])$. 

This formula represents logical equivalence between global state encodings, 
representing the fact that they represent the same state. 

– $T(w, v)$ is a formula which is true for a valuation $(s_1, \ldots, s_m)$ of 
$(w[1], \ldots, w[m])$ and a valuation $(s'_1, \ldots, s'_m)$ of $(v[1], \ldots, v[m])$ iff 
$((s_1, \ldots, s_m), (s'_1, \ldots, s'_m)) \in T$. 

⁴ We identify 1 with true and 0 with false. 

Our aim is to translate CTLpK formulas into propositional formulas. Specifically, 
for a given CTLpK formula $\varphi$ we compute a corresponding propositional 
formula $[\varphi](w)$, which encodes those states of the system that satisfy the 
formula. Operationally, we work outwards from the most nested subformulas, i.e., 
the atoms. In other words, to compute $[O\alpha](w)$, where $O$ is a modality, we work 
under the assumption of already having computed $[\alpha](w)$. To calculate the 
actual translations we use either the fixed point or the QBF characterization of 
CTLpK formulas. For example, the formula $[AX\alpha](w)$ is equivalent to the QBF 
formula $\forall v.(T(w, v) \Rightarrow [\alpha](v))$. We can use similar equivalences for the formulas 
$AY\alpha$, $K_i\alpha$, $D_\Gamma\alpha$, $E_\Gamma\alpha$. More specifically, we use the following three basic 
algorithms. The first one, implemented by the procedure forall, is used for formulas 
$O\alpha$ such that $O \in \{AX, AY, K_i, D_\Gamma, E_\Gamma\}$. This procedure eliminates the 
universal quantifier from a QBF formula representing a CTLpK formula, and returns 
the result in conjunctive normal form. The second algorithm, implemented by 
the procedure gfp, is applied to formulas $O\alpha$ such that $O \in \{AG, AH, C_\Gamma\}$. 
This procedure computes the greatest fixed point. For formulas of the form 
$A(\alpha U \beta)$ we use a third procedure, called lfpAU, which computes the least fixed 
point. In so doing, given a formula $\varphi$ we obtain a propositional formula $[\varphi](w)$ 
such that $\varphi$ is valid in the model $M$ iff the conjunction $[\varphi](w) \wedge I_\iota(w)$ is satisfiable, 
i.e., $\iota \in \langle\varphi\rangle$. Below, we formalize the above discussion. 

Definition 5 (Translation for UMC). Given a CTLpK formula $\varphi$, the propositional 
translation $[\varphi](w)$ is inductively defined as follows: 

• $[p](w) := \bigvee_{s \in \langle p\rangle} I_s(w)$ for $p \in PV_K$, 

• $[\neg\alpha](w) := \neg[\alpha](w)$, 

• $[\alpha \wedge \beta](w) := [\alpha](w) \wedge [\beta](w)$, 

• $[\alpha \vee \beta](w) := [\alpha](w) \vee [\beta](w)$, 

• $[AX\alpha](w) := forall(v, (T(w, v) \Rightarrow [\alpha](v)))$, 

• $[AY\alpha](w) := forall(v, (T(v, w) \Rightarrow [\alpha](v)))$, 

• $[K_i\alpha](w) := forall(v, ((H_i(w, v) \wedge \neg gfpAH(\neg I_\iota(v))) \Rightarrow [\alpha](v)))$, 

• $[D_\Gamma\alpha](w) := forall(v, ((\bigwedge_{i \in \Gamma} H_i(w, v) \wedge \neg gfpAH(\neg I_\iota(v))) \Rightarrow [\alpha](v)))$, 

• $[E_\Gamma\alpha](w) := forall(v, ((\bigvee_{i \in \Gamma} H_i(w, v) \wedge \neg gfpAH(\neg I_\iota(v))) \Rightarrow [\alpha](v)))$, 

• $[AG\alpha](w) := gfpAG([\alpha](w))$, 

• $[A(\alpha U \beta)](w) := lfpAU([\alpha](w), [\beta](w))$, 

• $[AH\alpha](w) := gfpAH([\alpha](w))$, 

• $[C_\Gamma\alpha](w) := gfpC_\Gamma([\alpha](w))$. 

The algorithms gfp and lfp are based on the standard procedures computing 
fixed points. 

procedure gfpAG($[\alpha](w)$), where $\alpha$ is a CTLpK formula 
  let $Q(w) = [true](w)$, $Z(w) = [\alpha](w)$ 
  while $\neg(Q(w) \Rightarrow Z(w))$ is satisfiable 
    let $Q(w) = Z(w)$, 
    let $Z(w) = forall(v, (T(w, v) \Rightarrow Z(v))) \wedge [\alpha](w)$ 
  return $Q(w)$ 

The procedure gfpAH is obtained by replacing in the above $forall(v, (T(w, v) \Rightarrow Z(v)))$ 
with $forall(v, (T(v, w) \Rightarrow Z(v)))$. 

procedure gfpC$_\Gamma$($[\alpha](w)$), where $\alpha$ is a CTLpK formula 
  let $Q(w) = [true](w)$, $Z(w) = forall(v, ((\bigvee_{i \in \Gamma} H_i(w, v) \wedge \neg gfpAH(\neg I_\iota(v))) \Rightarrow [\alpha](v)))$ 
  while $\neg(Q(w) \Rightarrow Z(w))$ is satisfiable 
    let $Q(w) = Z(w)$, 
    let $Z(w) = forall(v, ((\bigvee_{i \in \Gamma} H_i(w, v) \wedge \neg gfpAH(\neg I_\iota(v))) \Rightarrow (Z(v) \wedge [\alpha](v))))$ 
  return $Q(w)$ 

procedure lfpAU($[\alpha](w)$, $[\beta](w)$), where $\alpha, \beta$ are CTLpK formulas 
  let $Q(w) = [false](w)$, $Z(w) = [\beta](w)$ 
  while $\neg(Z(w) \Rightarrow Q(w))$ is satisfiable 
    let $Q(w) = Q(w) \vee Z(w)$, 
    let $Z(w) = forall(v, (T(w, v) \Rightarrow Q(v))) \wedge [\alpha](w)$ 
  return $Q(w)$ 


We now have all the ingredients in place to state the main result of this 
paper: modal satisfaction of a CTLpK formula can be rephrased as propositional 
satisfiability of an appropriate conjunction. Note that the translation is sound and 
complete (details of the proof are not given here). 

Theorem 2 (UMC for CTLpK). Let $M$ be a model and $\varphi$ be a CTLpK formula. 
Then, $M \models \varphi$ iff $[\varphi](w) \wedge I_\iota(w)$ is satisfiable. 

Proof. Notice that $I_\iota(w)$ is satisfied only by the valuation $\iota = (\iota_1, \ldots, \iota_m)$ of 
$w = (w[1], \ldots, w[m])$. Thus $[\varphi](w) \wedge I_\iota(w)$ is satisfiable iff $[\varphi](w)$ is true for the 
valuation $\iota$ of $w$. On the other hand, for a model $M$, $M \models \varphi$ iff $M, \iota \models \varphi$, i.e., 
$\iota \in \langle\varphi\rangle$. Hence, we have to prove that $\iota \in \langle\varphi\rangle$ iff $[\varphi](w)$ is true for the valuation 
$\iota$ of $w$. The proof is by induction on the complexity of $\varphi$. The theorem follows 
directly for the propositional variables. Next, assume that the hypothesis holds 
for all the proper sub-formulas of $\varphi$. If $\varphi$ is equal to either $\neg\alpha$, $\alpha \wedge \beta$, or $\alpha \vee \beta$, 
then it is easy to check that the theorem holds. 

For the modal formulas, let $P$ be a set of states and $\alpha_P(w)$ a propositional 
formula such that $\alpha_P(w)$ is true for the valuation $s = (s_1, \ldots, s_m)$ of 
$w = (w[1], \ldots, w[m])$ iff $s \in P$. Note that given any $P$, $\alpha_P$ is well defined, since the 
set $G$ of all states is finite and one can take $\bigvee_{s \in P} I_s(w)$ as $\alpha_P(w)$. Consider $\varphi$ 
to be of the following forms: 



• $\varphi = AY\alpha$. We will prove that $\iota \in \langle AY\alpha\rangle$ iff the formula $[AY\alpha](w)$ is true for 
the valuation $\iota$ of $w$. 

First we prove that: 

(*) $s \in AY(P)$ iff the formula $\forall v.(T(v, w) \Rightarrow \alpha_P(v))$ is true for the valuation 
$s$ of $w$. 

$s \in AY(P)$ iff $s \in \{s' \in G \mid \text{for every } s'' \in G \text{ if } (s'', s') \in T, \text{ then } s'' \in P\}$. 
On the one hand, $(s'', s') \in T$ iff $T(v, w)$ is true for the valuation $s'$ of $w$ and 
the valuation $s''$ of $v$. Moreover, $s'' \in P$ iff the formula $\alpha_P(v)$ is true for the 
valuation $s''$ of $v$. Thus $s \in AY(P)$ iff the formula $T(v, w) \Rightarrow \alpha_P(v)$ is true 
for the valuation $s$ of $w$ and every valuation $s''$ of $v$. Hence, $s \in AY(P)$ iff 
the QBF formula $\forall v.(T(v, w) \Rightarrow \alpha_P(v))$ is true for the valuation $s$ of $w$. 
Therefore, $\iota \in \langle AY\alpha\rangle$ iff $\iota \in AY(\langle\alpha\rangle)$ iff (by the inductive assumption and 
(*)) the formula $\forall v.(T(v, w) \Rightarrow [\alpha](v))$ is true for the valuation $\iota$ of $w$ iff 
(by Theorem 1) the propositional formula $forall(v, T(v, w) \Rightarrow [\alpha](v))$ is true 
for the valuation $\iota$ of $w$ iff $[AY\alpha](w)$ is true for the valuation $\iota$ of $w$. 

• $\varphi = AX\alpha$. The proof is analogous to the former case. 

• $\varphi = AH\alpha$. We will show that $\iota \in \langle AH\alpha\rangle$ iff the formula $[AH\alpha](w)$ is true for the 
valuation $\iota$ of $w$. 

First we prove that: 

(*) $s \in \nu Z.P \cap AY(Z)$ iff the formula $gfpAH(\alpha_P(w))$ is true for the valuation 
$s$ of $w$. 

Let $\tau(Z) = P \cap AY(Z)$, then $s \in \nu Z.\tau(Z)$ iff $s \in \bigcap_{i \geq 0} \tau^i(G)$ 
($= \bigcap_{i \geq 0} \tau^i(true)$). Thus, $s \in \nu Z.\tau(Z)$ iff $s \in \tau^i(G)$ for the least $i$ such that 
$\tau^i(G) \subseteq \tau^{i+1}(G)$, since for every $i \geq 0$ we have $\tau^{i+1}(G) \subseteq \tau^i(G)$. On the other 
hand, $s \in \tau(Z)$ iff the formula $\alpha_P(w) \wedge \forall v.(T(v, w) \Rightarrow \alpha_Z(v))$ is true for the 
valuation $s$ of $w$ iff (by Theorem 1) the formula $\alpha_P(w) \wedge forall(v, T(v, w) \Rightarrow \alpha_Z(v))$ 
is true for the valuation $s$ of $w$. 

Let $Z^0(w) = \alpha_P(w)$ and $Z^i(w) = \alpha_P(w) \wedge forall(v, (T(v, w) \Rightarrow Z^{i-1}(v)))$ 
for $i > 0$. Notice that $s \in \tau^i(G)$ iff $Z^i(w)$ is true for the valuation $s$ 
of $w$. Moreover, $Q_i(w) = Z^{i-1}(w)$ and $Z_i(w) = Z^i(w)$ are invariants of 
the while-loop of the procedure $gfpAH(\alpha_P(w))$. Hence on termination, 
when $Q_{i_0}(w) \Rightarrow Z_{i_0}(w)$, where $i_0$ is the least $i$ such that $Q_i(w) \Rightarrow Z_i(w)$, 
$gfpAH(\alpha_P(w)) = Q_{i_0}(w)$ is a formula that is true for the valuation $s$ of $w$ iff 
$s \in \nu Z.\tau(Z)$. 

Therefore, $\iota \in \langle AH\alpha\rangle$ iff $\iota \in \nu Z.\langle\alpha\rangle \cap AY(Z)$ iff (by the inductive assumption 
and (*)) the propositional formula $gfpAH([\alpha](w))$ is true for the valuation $\iota$ 
of $w$ iff the propositional formula $[AH\alpha](w)$ is true for the valuation $\iota$ of $w$. 

• $\varphi = AG\alpha \mid C_\Gamma\alpha \mid A(\alpha U \beta)$. The proof is analogous to the former case. 

• $\varphi = K_i\alpha$. In order to show that $\iota \in \langle K_i\alpha\rangle$ iff the formula $[K_i\alpha](w)$ is true for 
the valuation $\iota$ of $w$, first we prove that: 

(*) $s \in K_i(P)$ iff the formula $\forall v.(\neg gfpAH(\neg I_\iota(v)) \wedge H_i(w, v) \Rightarrow \alpha_P(v))$ is 
true for the valuation $s$ of $w$. 

To this aim we prove the following two facts: 

(**) $(\iota, s'') \in T^*$ iff $\neg gfpAH(\neg I_\iota(v))$ is true for the valuation $s''$ of $v$. 
Observe that $s'' \in G \setminus \{\iota\}$ iff $\neg I_\iota(v)$ is true for the valuation $s''$ of $v$. On the 
other hand $(\iota, s'') \notin T^*$ iff $s'' \in \nu Z.(G \setminus \{\iota\}) \cap AY(Z)$. Hence $(\iota, s'') \in T^*$ iff 
$s'' \notin \nu Z.(G \setminus \{\iota\}) \cap AY(Z)$ iff $gfpAH(\neg I_\iota(v))$ is false for the valuation $s''$ of $v$ 
iff $\neg gfpAH(\neg I_\iota(v))$ is true for the valuation $s''$ of $v$. 

(***) $s' \sim_i s''$ iff $H_i(w, v)$ is true for the valuation $s'$ of $w$ and the valuation 
$s''$ of $v$. 

$s' \sim_i s''$ iff $l_i(s') = l_i(s'')$ iff $\bigwedge_{j \in D_i} s'_j = s''_j$ iff the formula $\bigwedge_{j \in D_i} w[j] \Leftrightarrow v[j]$ is 
true for the valuation $s'$ of $w$ and the valuation $s''$ of $v$ iff $H_i(w, v)$ is true 
for the valuation $s'$ of $w$ and the valuation $s''$ of $v$. 

Thus by (**) and (***), $s \in K_i(P)$ iff for the valuation $s$ of $w$ and every 
valuation $s''$ of $v$ the formula $\neg gfpAH(\neg I_\iota(v)) \wedge H_i(w, v) \Rightarrow \alpha_P(v)$ is true iff 
the QBF formula $\forall v.(\neg gfpAH(\neg I_\iota(v)) \wedge H_i(w, v) \Rightarrow \alpha_P(v))$ is true for the 
valuation $s$ of $w$. 

Therefore, $\iota \in \langle K_i\alpha\rangle$ iff $\iota \in K_i(\langle\alpha\rangle)$ iff (by the inductive assumption and 
(*)) the formula $\forall v.(\neg gfpAH(\neg I_\iota(v)) \wedge H_i(w, v) \Rightarrow [\alpha](v))$ is true for the 
valuation $\iota$ of $w$ iff (by Theorem 1) the propositional formula 
$forall(v, \neg gfpAH(\neg I_\iota(v)) \wedge H_i(w, v) \Rightarrow [\alpha](v))$ is true for the valuation $\iota$ of 
$w$ iff $[K_i\alpha](w)$ is true for the valuation $\iota$ of $w$. 

• $\varphi = D_\Gamma\alpha \mid E_\Gamma\alpha$. The proof is analogous to the former case. 

6.1 Optimizations of algorithms 

In our implementation we apply some optimizations to the fixed point computing 
algorithms described above. Precisely, we compute $[AG\alpha](w)$ and $[AH\alpha](w)$ by 
using the following frontier set simplification method [11]. Define the formula 
$(\forall v.\alpha) \downarrow \delta$, representing some propositional formula such that $\delta \wedge (\forall v.\alpha) \downarrow \delta$ is 
equivalent to $\delta \wedge \forall v.\alpha$. The formula $(\forall v.\alpha) \downarrow \delta$ is computed using the procedure 
forall with a slight modification. Next, we compute $[AG\alpha](w)$ as the conjunction 
of the following sequence: $Z_1(w) = [\alpha](w)$, 
$Z_{i+1}(w) = (\forall v.(T(w, v) \Rightarrow Z_i(v))) \downarrow \bigwedge_{j=1}^{i} Z_j(w)$. The sequence converges 
when $forall(v, (T(w, v) \Rightarrow Z_i(v)))$ is already implied by $\bigwedge_{j=1}^{i} Z_j(w)$, in which 
case $Z_{i+1}(w)$ is the constant true. The procedure fssmAG for 
computing $[AG\alpha](w)$ is as follows. 

procedure fssmAG($[\alpha](w)$), where $\alpha$ is a CTLpK formula 
  let $Z(w) = Q(w) = [\alpha](w)$ 
  while $Z(w) \neq true$ 
    let $Z(w) = (\forall v.(T(w, v) \Rightarrow Z(v))) \downarrow Q(w)$ 
    let $Q(w) = Q(w) \wedge Z(w)$ 
  return $Q(w)$ 

The procedure fssmAH for computing $[AH\al pha](w)$ is obtained by replacing in the 
above $(\forall v.(T(w, v) \Rightarrow Z(v))) \downarrow Q(w)$ with $(\forall v.(T(v, w) \Rightarrow Z(v))) \downarrow Q(w)$. A similar 
procedure can be obtained for computing the formulas $[C_\Gamma\alpha](w)$. 

7 Example of Train, Gate and Controller 

In this section we exemplify the procedure above by discussing the scenario of 
the train controller system (adapted from [20]). The system consists of three 
agents: two trains (agents 1 and 3), and a controller (agent 2). The trains, one 
Eastbound, the other Westbound, occupy a circular track. At one point, both 
tracks pass through a narrow tunnel. There is no room for both trains to be in 
the tunnel at the same time. Therefore the trains must avoid this happening. 
There are traffic lights on both sides of the tunnel, which can be either red or 
green. Both trains are equipped with a signaller, which they use to send a signal 
when they approach the tunnel. The controller can receive signals from both 
trains, and controls the colour of the traffic lights. The task of the controller is 
to ensure that the trains are never both in the tunnel at the same time. The 
trains follow the traffic light signals diligently, i.e., they stop on red. 



Fig. 1. The local transition structures for the two trains and the controller 


We can model the example above with an interpreted system as follows. The 
local states for the agents are: 

• $L_{train_1} = \{away_1, wait_1, tunnel_1\}$, 

• $L_{controller} = \{red, green\}$, 

• $L_{train_2} = \{away_2, wait_2, tunnel_2\}$. 

The set of global states is defined as $G = L_{train_1} \times L_{controller} \times L_{train_2}$. Let 
$\iota = (away_1, green, away_2)$ be the initial state. We assume that the local states 
are numbered in the following way: $away_1 := 1$, $wait_1 := 2$, $tunnel_1 := 3$, 
$red := 4$, $green := 5$, $away_2 := 6$, $wait_2 := 7$, $tunnel_2 := 8$, and the agents are 
numbered as follows: $train_1 := 1$, $controller := 2$, $train_2 := 3$. Thus we assume 
the set of agents $A$ to be the set $\{1, 2, 3\}$. 

Let $Act = \{a_1, \ldots, a_6\}$ be a set of joint actions. For $a \in Act$ we define the 
preconditions $pre(a)$, postconditions $post(a)$, and the set $agent(a)$ containing 
the numbers of the agents that may change local states by executing $a$. 

• $pre(a_1) = \{1\}$, $post(a_1) = \{2\}$, $agent(a_1) = \{1\}$, 

• $pre(a_2) = \{2, 5\}$, $post(a_2) = \{3, 4\}$, $agent(a_2) = \{1, 2\}$, 

• $pre(a_3) = \{3, 4\}$, $post(a_3) = \{1, 5\}$, $agent(a_3) = \{1, 2\}$, 

• $pre(a_4) = \{6\}$, $post(a_4) = \{7\}$, $agent(a_4) = \{3\}$, 

• $pre(a_5) = \{5, 7\}$, $post(a_5) = \{4, 8\}$, $agent(a_5) = \{2, 3\}$, 

• $pre(a_6) = \{4, 8\}$, $post(a_6) = \{5, 6\}$, $agent(a_6) = \{2, 3\}$. 

In our formulas we use the following two propositional variables $in\_tunnel_1$ and 
$in\_tunnel_2$ such that $in\_tunnel_1 \in V(s)$ iff $l_{train_1}(s) = tunnel_1$, and 
$in\_tunnel_2 \in V(s)$ iff $l_{train_2}(s) = tunnel_2$, for $s \in G$. 

We now encode the local states in binary form in order to use them in the 
model checking technique. Given that agent $train_1$ can be in 3 different local 
states we shall need 2 bits to encode its state; in particular we shall take: 
$(0, 0) = away_1$, $(1, 0) = wait_1$, $(0, 1) = tunnel_1$. Similarly for the agent $train_2$: 
$(0, 0) = away_2$, $(1, 0) = wait_2$, $(0, 1) = tunnel_2$. The modelling of the local 
states of the controller requires only one bit: $(0) = green$, $(1) = red$. In 
view of this a global state is modelled by 5 bits. For instance the initial state 
$\iota = (away_1, green, away_2)$ is represented as a tuple of 5 0's. Notice that the first 
two bits of a global state encode the local state of agent 1, the third bit encodes 
the local state of agent 2, and the two remaining bits encode the local state of agent 
3. We represent this by taking: $D_1 = \{1, 2\}$, $D_2 = \{3\}$, $D_3 = \{4, 5\}$. 

Let $w = (w[1], \ldots, w[5])$, $v = (v[1], \ldots, v[5])$ be two global state variables. We 
define the following propositional formulas over $w$ and $v$: 

• $I_\iota(w) := \bigwedge_{i \in D_1 \cup D_2 \cup D_3} \neg w[i]$, 

this formula encodes the initial state, 

• $H_i(w, v) := \bigwedge_{j \in D_i} w[j] \Leftrightarrow v[j]$, 

this formula, where $i \in A$, represents logical equivalence between the 
local states of agent $i$ at two global states represented by the variables $w$ and $v$, 

• $p_1(w) := \neg w[1] \wedge \neg w[2]$, $p_2(w) := w[1] \wedge \neg w[2]$, $p_3(w) := \neg w[1] \wedge w[2]$, 
$p_4(w) := w[3]$, $p_5(w) := \neg w[3]$, $p_6(w) := \neg w[4] \wedge \neg w[5]$, $p_7(w) := w[4] \wedge \neg w[5]$, 
$p_8(w) := \neg w[4] \wedge w[5]$, 

the formula $p_j(w)$, for $j = 1, \ldots, 8$, encodes a particular local state of an 
agent. 

For $a \in Act$, let $B_a := \bigcup_{i \in A \setminus agent(a)} D_i$ be the set of labels of the bits that 
are not changed by the action $a$; then 

• $T(w, v) := \bigvee_{a \in Act} (\bigwedge_{j \in pre(a)} p_j(w) \wedge \bigwedge_{j \in post(a)} p_j(v) \wedge \bigwedge_{j \in B_a} (w[j] \Leftrightarrow v[j])) \vee 
(\bigwedge_{a \in Act} \bigvee_{j \in pre(a)} (\neg p_j(w)) \wedge \bigwedge_{j \in D_1 \cup D_2 \cup D_3} (w[j] \Leftrightarrow v[j]))$. 
Intuitively, $T(w, v)$ encodes the set of all pairs of global states $s$ and $s'$, 
represented by the variables $w$ and $v$ respectively, such that $s'$ is reachable from 
$s$, i.e., either there exists a joint action $a$ which is available at $s$ and $s'$ is the 
result of executing $a$ at $s$, or there is no such action and $s'$ equals $s$. Notice 
that the above formula is composed of two parts. The first one encodes the 
transition relation of the system whereas the second one adds self-loops to 
all the states without successors. This is necessary in order to satisfy the 
assumption that $T$ is total. 
Consider now the following formulas: 

• $\alpha_0 = \neg AX(\neg in\_tunnel_1)$, 

• $\alpha_1 = AG(in\_tunnel_1 \Rightarrow K_{train_1}(\neg in\_tunnel_2))$, 

• $\alpha_2 = AG(\neg in\_tunnel_1 \Rightarrow (\neg K_{train_1} in\_tunnel_2 \wedge \neg K_{train_1}(\neg in\_tunnel_2)))$, 

where $in\_tunnel_1$ (respectively $in\_tunnel_2$) is a proposition true whenever the 
local state of $train_1$ is equal to $tunnel_1$ (respectively the local state of $train_2$ is 
equal to $tunnel_2$). 

The first formula states that agent $train_1$ may at the next step be in the 
tunnel. The second formula expresses that when agent $train_1$ is in the tunnel, 
it knows that agent $train_2$ is not in the tunnel. The third formula expresses that 
when agent $train_1$ is away from the tunnel, it does not know whether or not 
agent $train_2$ is in the tunnel. 

As discussed above, the translation of the propositions $in\_tunnel_1$ and $in\_tunnel_2$ 
is as follows: 

• $[in\_tunnel_1](w) = \neg w[1] \wedge w[2]$, 

• $[in\_tunnel_2](w) = \neg w[4] \wedge w[5]$. 

Next, we show how to translate the formula $\alpha_0$: 

$[\alpha_0](w) = [\neg AX(\neg in\_tunnel_1)](w) = \neg[AX(\neg in\_tunnel_1)](w)$. 

The formula $[AX(\neg in\_tunnel_1)](w)$ is computed as follows: 
$[AX(\neg in\_tunnel_1)](w) = forall(v, T(w, v) \Rightarrow [\neg in\_tunnel_1](v)) = 
forall(v, T(w, v) \Rightarrow (\neg(\neg v[1] \wedge v[2]))) = forall(v, T(w, v) \Rightarrow (v[1] \vee \neg v[2]))$. 
Consequently $[\alpha_0](w) = \neg forall(v, T(w, v) \Rightarrow (v[1] \vee \neg v[2]))$ and 
$[\alpha_0](w) \wedge I_\iota(w) = \neg forall(v, T(w, v) \Rightarrow (v[1] \vee \neg v[2])) \wedge I_\iota(w) = 
((w[1] \wedge \neg w[2] \wedge \neg w[3]) \vee (\neg w[1] \wedge w[2] \wedge \neg w[3] \wedge \neg w[5]) \vee 
(\neg w[1] \wedge w[2] \wedge w[3] \wedge \neg w[4]) \vee (\neg w[1] \wedge w[2] \wedge \neg w[3] \wedge \neg w[4] \vee w[5])) \wedge I_\iota(w) = false$. 
Therefore $\alpha_0$ is not valid in the model. 

But both the formulas $\alpha_1$ and $\alpha_2$ are valid in the model, since 
$[\alpha_1](w) \wedge I_\iota(w) = true \wedge I_\iota(w) = \neg w[1] \wedge \neg w[2] \wedge \neg w[3] \wedge \neg w[4] \wedge \neg w[5]$ and 
$[\alpha_2](w) \wedge I_\iota(w) = (\neg w[1] \vee \neg w[2]) \wedge I_\iota(w) = \neg w[1] \wedge \neg w[2] \wedge \neg w[3] \wedge \neg w[4] \wedge \neg w[5]$. 
This corresponds to our intuition. 
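As an added example (not the paper's or VerICS's code), the following Python evaluates the fixed point characterizations of Section 5 and the procedures of Section 6 explicitly, on sets of states instead of on propositional formulas, over the train-gate-controller model of Section 7 exactly as encoded above (the $p_j$, $B_a$ and $T(w, v)$ definitions, $D_1$, $D_2$, $D_3$ and $\iota$), and checks $\alpha_0$, $\alpha_1$, $\alpha_2$ at the initial state. The function names AX, AY, K, E, AG, AH, C, AU, fixpoint, holds and encode are this example's own.

```python
"""Added example (not the paper's code): the train-gate-controller model of
Section 7 on 5-bit global states, with the fixed point operators of Section 5
evaluated on explicit sets of states (standing in for the formulas [alpha](w))."""
from itertools import product

# p_j(w) of Section 7: (0-based bit positions, expected bit values).
P = {1: ((0, 1), (0, 0)), 2: ((0, 1), (1, 0)), 3: ((0, 1), (0, 1)),
     4: ((2,), (1,)), 5: ((2,), (0,)),
     6: ((3, 4), (0, 0)), 7: ((3, 4), (1, 0)), 8: ((3, 4), (0, 1))}
D = {1: (0, 1), 2: (2,), 3: (3, 4)}            # D_1, D_2, D_3 (0-based)
ACT = [({1}, {2}, {1}), ({2, 5}, {3, 4}, {1, 2}), ({3, 4}, {1, 5}, {1, 2}),
       ({6}, {7}, {3}), ({5, 7}, {4, 8}, {2, 3}), ({4, 8}, {5, 6}, {2, 3})]
IOTA = (0, 0, 0, 0, 0)                         # (away_1, green, away_2)

def p(j, s):
    """p_j evaluated at the concrete global state s."""
    idx, bits = P[j]
    return all(s[i] == b for i, b in zip(idx, bits))

def trans(s, t):
    """T(w, v) of Section 7 on concrete states: some joint action a with pre(a)
    at s, post(a) at t and the bits in B_a unchanged, or a self-loop when no
    action is enabled at s (this keeps T total)."""
    for pre, post, agent in ACT:
        b_a = [i for ag in D if ag not in agent for i in D[ag]]
        if (all(p(j, s) for j in pre) and all(p(j, t) for j in post)
                and all(s[i] == t[i] for i in b_a)):
            return True
    none_enabled = all(any(not p(j, s) for j in pre) for pre, _, _ in ACT)
    return none_enabled and s == t

# G = L_train1 x L_controller x L_train2: 18 of the 32 bit patterns.
G = [s for s in product((0, 1), repeat=5)
     if any(p(j, s) for j in (1, 2, 3)) and any(p(j, s) for j in (6, 7, 8))]
T = {(s, t) for s in G for t in G if trans(s, t)}

def reachable(start):
    """{s' | (start, s') in T*}: the states the epistemic operators range over."""
    seen, todo = {start}, [start]
    while todo:
        s = todo.pop()
        new = [t for t in G if (s, t) in T and t not in seen]
        seen.update(new)
        todo.extend(new)
    return seen

REACH = reachable(IOTA)

def H(i, s, t):                                # H_i(w, v): same local state of i
    return all(s[k] == t[k] for k in D[i])

# Predicate transformers of Section 5 on subsets Z of G.
def AX(Z): return {s for s in G if all(t in Z for (u, t) in T if u == s)}
def AY(Z): return {s for s in G if all(u in Z for (u, t) in T if t == s)}
def K(i, Z): return {s for s in G if all(t in Z for t in REACH if H(i, s, t))}
def E(gamma, Z):
    return {s for s in G
            if all(t in Z for t in REACH if any(H(i, s, t) for i in gamma))}

def fixpoint(tau, Z):
    """Iterate tau from Z (G for nu, the empty set for mu) until it is stable;
    this is what the while-loops of gfpAG/gfpAH/gfpC/lfpAU do symbolically."""
    while tau(Z) != Z:
        Z = tau(Z)
    return Z

def NOT(A): return set(G) - A
def IMPLIES(A, B): return NOT(A) | B
def AG(A): return fixpoint(lambda Z: A & AX(Z), set(G))      # nu Z.<a> & AX(Z)
def AH(A): return fixpoint(lambda Z: A & AY(Z), set(G))      # nu Z.<a> & AY(Z)
def C(gamma, A): return fixpoint(lambda Z: E(gamma, Z & A), set(G))
def AU(A, B): return fixpoint(lambda Z: B | (A & AX(Z)), set())  # mu Z

def encode(A):
    """alpha_P(w) = OR_{s in P} I_s(w) (proof of Theorem 2), rendered as text."""
    lit = lambda s: " & ".join(("" if b else "~") + f"w[{i + 1}]"
                               for i, b in enumerate(s))
    return " | ".join("(" + lit(s) + ")" for s in sorted(A)) or "false"

IN_T1 = {s for s in G if p(3, s)}              # [in_tunnel_1](w) = ~w[1] & w[2]
IN_T2 = {s for s in G if p(8, s)}              # [in_tunnel_2](w) = ~w[4] & w[5]
ALPHA0 = NOT(AX(NOT(IN_T1)))
ALPHA1 = AG(IMPLIES(IN_T1, K(1, NOT(IN_T2))))
ALPHA2 = AG(IMPLIES(NOT(IN_T1), NOT(K(1, IN_T2)) & NOT(K(1, NOT(IN_T2)))))

def holds(A):
    """M |= phi iff iota in <phi>, i.e. [phi](w) & I_iota(w) is satisfiable."""
    return IOTA in A
```

`encode(A & {IOTA})` is the explicit counterpart of the conjunction $[\varphi](w) \wedge I_\iota(w)$ computed above: it is the string "false" exactly when the formula is not valid in the model.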

8 Preliminary Experimental Results 

In this section we describe an implementation of the UMC algorithm and present 
some preliminary experimental results for selected benchmark examples. 

Our tool, unbounded model checking for interpreted systems, is a new module 
of the verification environment VerICS [5]. The tool takes as input an interpreted 
system and a CTLpK formula $\varphi$ and produces a set of states (encoded symbolically) 
in which the formula holds. The implementation consists of two main 
parts: the translation module and the forall module. According to the detailed 
description in the former sections, each subformula $\psi$ of $\varphi$ is encoded (by the 
translation module) by a QBF formula which characterizes all the states at which 
$\psi$ holds. In the case of checking a modal formula, the corresponding QBF formula 
is then evaluated by the forall module, which is implemented on top of the 
SAT solver Zchaff [13]. The whole tool is written in C++ making intensive use 
of the STL libraries. 

The tests presented below have been performed on a workstation equipped 
with an AMD Athlon XP+ 2400 MHz processor and 2 GB RAM running under 
Linux Redhat. For each of the results we present the time (in seconds) used by 
VerICS and Zchaff, and give the RAM (in kB) consumed during the computation. 


8.1 Train, Gate and Controller - example parameterized 

The first example we have tested is the train, gate and controller system presented 
in Section 7. In order to show how the algorithm copes with the combinatorial 
explosion, this example is parameterized with the number of trains 
$N$. For a given $N \in \{2, 4, 6\}$, we have generalized the property $\alpha_2$ of Section 
7 to $N$ trains: 
$\alpha_2(N) = AG(\neg in\_tunnel_1 \Rightarrow (\neg K_{train_1} \bigwedge_{i=2..N} \neg in\_tunnel_i \wedge \neg K_{train_1} \bigvee_{i=2..N} in\_tunnel_i))$. 

The results (time and memory consumption) are presented in Table 1. 
SAT-time denotes the amount of time necessary to determine by means of unmodified 
Zchaff whether the obtained set of states contains an initial state (this 
is a SAT problem). 


  $\alpha_2(N)$ 
  N    CNF clauses    UMC-mem     UMC-time    SAT-time 
  2            557    2260 kB       0.12 s      0.01 s 
  4           5214    8376 Mb       1.51 s      0.01 s 
  6          58489      64 MB      46.55 s      0.01 s 

Table 1. Experimental results for Train-Gate-Controller 


8.2 Attacking Generals 

The second analyzed example is a scenario of the coordinated attack problem, 
often discussed in the areas of MAS, distributed computing, as well as epistemic 
logic. It concerns the coordination of agents in the presence of unreliable 
communication. It is also known as the coordinated attack problem [8]. 

For the purpose of this paper, we choose a particular joint protocol for the 
scenario and verify the truth and falsehood of particular formulas that capture 
its key characteristics. The variant we analyse is the following (for a more detailed 
protocol description we refer to [10]): 

After having studied the opportunity of doing so, general A may issue a 
request-to-attack order to general B. A will then wait to receive an 
acknowledgment from B, and will attack immediately after having received 
it. General B will not issue request-to-attack orders himself, but if his 
assistance is requested, he will acknowledge the request, and will attack 
after a suitable time for his messenger to reach A (assuming no delays) 
has elapsed. A joint attack guarantees success, and any non-coordinated 
attack causes defeat of the army involved (Fig. 2). 

Figure 2 presents three scenarios for the agents involved in the coordinated 
attack problem. The rounded boxes represent locations (local states), while the 
arrows denote transitions between locations. The beginning location for each 
agent is in bold. The transitions sharing labels are executed simultaneously (i.e., 
synchronize). The local states for the agents are listed below: 

• $L_{General_A} = \{wait_A, order_A, ack_A, win_A\}$, 

• $L_{General_B} = \{wait_B, order_B, ready_B, win_B, fail_B\}$, 

• $L_{Environment} = \{wait_E, order_E, ack_E, ack\_lost_E\}$. 

In our formulas we use the following propositional variables: $attack_A$ and $attack_B$, 
meaning that the corresponding General has made the decision of attacking the 
enemy, $success_A$ and $success_B$, meaning the victory of each General, and finally 
$fail_B$, which denotes the defeat of General B (and both Generals). For $s \in G$: 

• $attack_A \in V(s)$ iff $l_{General_A}(s) \in \{win_A, ack_A\}$, 

• $success_A \in V(s)$ iff $l_{General_A}(s) \in \{win_A\}$, 

• $attack_B \in V(s)$ iff $l_{General_B}(s) \in \{order_B, win_B, ready_B, fail_B\}$, 

• $success_B \in V(s)$ iff $l_{General_B}(s) \in \{win_B\}$, 

• $fail_B \in V(s)$ iff $l_{General_B}(s) \in \{fail_B\}$. 

Below we present some properties we test for the coordinated attack problem. 
Results of the tests are listed for each property in the same way as in the previous 
example. 

• $P_1 = AG(attack_B \Rightarrow K_A K_B attack_A)$ 

• $P_2 = EF(C_{\{A,B\}}(attack_A \wedge attack_B))$ 

The property $P_1$ states that if general B decides to attack, then general 
A knows that B knows that A will attack the enemy. The property $P_2$ expresses 
that there is a possibility of achieving common knowledge about the decision of 
attacking the enemy. The experimental results for this example are given in 
Table 2. 


  Property    CNF clauses    UMC-memory    UMC-time    SAT-time 
  $P_1$               917       1488 kB      1.08 s      0.02 s 
  $P_2$               971       2300 kB      1.54 s      0.01 s 

Table 2. Experimental results for the coordinated attack problem 

Fig. 2. The attacking generals scenarios 


9 Conclusions 

Verification of multi-agent systems is quickly becoming an active area of research. 
In the case of model checking, plain temporal verification is not sufficient because 
of the variety of modalities that are commonly used to specify multi-agent 
systems. In this paper we have extended the state-of-the-art of the area by providing 
a model checking theory to perform unbounded model checking on a temporal 
epistemic language interpreted on interpreted systems. This surpasses the 
possibilities already available with other SAT-based approaches, namely bounded 
model checking, in that it is possible to check the full CTLK language, not just 
its existential fragment. 

It should be noted that our tool provides only a preliminary implementation 
of UMC. The major problem we found was that blocking clauses are defined 
only over the input variables $V$. This often seemed to be too fine a description 
and led to generating exponentially many clauses (as can be seen in Table 1). 
We have found that the Alternative Implication Graph $IG(A', \varphi)$ usually gives 
shorter blocking clauses only for simple formulas, while formulas encoding "real" 
UMC problems produce clauses over all the literals of $V$. In future work we shall 
investigate the conjecture of K. McMillan stating that by allowing in blocking 
clauses literals corresponding not only to state vectors, but also to subformulas, 
one could obtain a dramatic improvement in performance. 